Editorial: How Zoom Bombed

Photo credit: iStockphoto/Oceloti

Zoom was everywhere. Even the U.K. government used it for daily meetings and briefings. It topped the prestigious Android and iOS charts and added to our modern vocabulary with terms like Zoombombing (more on that later).

However, fame made the company vulnerable. Glaring cracks in its security mantle emerged in newspapers and magazines that hardly knew the company existed months before. Soon, fame turned into infamy.

Zoom buckled under the pressure, lawsuits followed, and even Elon Musk’s SpaceX banned it, as did the U.K. Ministry of Defense. The FBI is now even warning schools of the dangers of using Zoom.

It is a tale that has a hidden warning for today’s startups as they try to upend larger enterprise tools as employees work from home.

The rise of Zoom

Before the pandemic, video conferencing was already seeing soaring adoption. Grand View Research predicted this part of the industry will reach USD 6.7 billion by 2025, growing at a CAGR of 9.2%.

Zoom’s chief attraction was its simplicity. For users, it was easy to start a session, and the service was stable. It also helped that it was free for unlimited meetings, and for 40 minutes if you had three or more participants.

These features made Zoom a hit for entrepreneurs who just needed that time for quick huddles or client meetings and caught out players like Microsoft Skype that were lost in a connected world. It soon gained popularity in the corporate world—which was at the time focusing on moving from audio conferencing—and in late 2018 Zoom reported that its user base included 58% of the Fortune 500.

Another reason for Zoom’s popularity was that it did not come with a range of confusing add-ons or alter ego packages. It simply rolled video conferencing, online meetings, messaging, and conference room support into one simple package. For end users, it made sense. 

Its API strategy gave Zoom an additional advantage. It allowed the company to entrench itself with other rising stars early like Atlassian and Dropbox, while working well with Slack and potential competitors like Polycom, Logitech, and others.

Its biggest rival was Cisco WebEx. Both had different strategies. While Zoom focused on simplicity, WebEx offered choice and control, including kicking unwanted people off a videoconference session and easily transferring files.

Then the pandemic occurred, and millions of workers had to decide how they wanted to stay connected to the rest of the world over home networks. For many, Zoom’s ease of use and wide integration with other popular apps made it a straightforward choice.

Zoom boomed.

The fall of Zoom

Then, Zoom sputtered.

Users were seeing trolls entering video conference calls screaming obscenities. A simple Google search with the keyword “zoom.us” exposed unprotected links. Public meeting links were also found littered across social media sites.

The company advised users to change the default settings, such as disabling “Join before host” and enabling “Waiting room”, while not using your Personal ID and instead generating a random meeting ID. But users were already worried. 

The biggest problem was end-to-end encryption, or more precisely, the use of that phrase. A report in The Intercept showed that Zoom “falsely marketed” that its meetings were “end-to-end encrypted.” With true end-to-end encryption, Zoom would not be able to access any part of the meeting.

The company said it meant “encrypted” and not “end-to-end encrypted.” In a blog post, Zoom’s chief product officer Oded Gal wrote, “Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”

Some major companies and organizations did not buy the explanation. Zoom was asking other companies to trust it while it held the keys. Security-minded companies and users started asking questions about what happens when governments force Zoom to hand over recordings of sensitive meetings. A new lawsuit accusing the company of illegally sharing information with Facebook just made it worse.

The chief executive officer of Zoom, Eric Yuan, finally apologized, admitting to the security shortcomings. He said that “we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”

Concrete steps, like focusing all development resources on security in the coming weeks, were announced. But it is too early to know whether these actions were too late.

Symptom of a bigger issue

Zoom’s troubles are not unique. Startups and high-growth companies often face the same challenges as they balance security and privacy with user growth. Zoom only gained media attention because of its sudden popularity, which in turn put the spotlight on its privacy and security practices. And under the glare, it faltered.

But Zoom’s debacle is also a litany of missed opportunities. Instead of admitting its shortfalls in a clear message right from the outset, it tried to redefine what everyone thought of as end-to-end encryption. It ended up sounding as if the product was not meant for laymen after all or that it is not ready for safeguarding user privacy.

The issue lies with attitude. In meetings and interviews, bank CIOs and CDOs say they see the same problems with fintechs and startup companies. These companies may be brilliant and offer fresh benefits, but many are not cut out for the highly strung, security-sensitive corporate culture where you need to be crystal clear on security and privacy. And their biggest issue is not that they are not ready for corporate scrutiny (every vendor goes through similar issues) but how they handle it.

It remains to be seen how well other startup tools built for enterprises will fare under scrutiny as work from home becomes a corporate normal in the first half of 2020. It offers many the ability to redefine the corporate IT landscape and unseat incumbents; but it can also turn them into ticking time bombs.
